Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    CyberheistNews Vol 6 #8 [ALERT] It's Here. New Ransomware Hidden In Infected Word Files

    CyberHeist News CyberheistNews Vol #6 #08 Feb 22, 2016
    [ALERT] It's Here. New Ransomware Hidden In Infected Word Files
    Stu Sjouwerman

    It was only a matter of time, but some miscreant finally did it. There is a new ransomware strain somewhat amateurishly called "Locky", but this is professional grade malware. The major headache is that this flavor starts out with a Microsoft Word attachment which has malicious macros in it, making it hard to filter out.

    Over 400,000 workstations were infected in just a few hours, data from Palo Alto Networks shows. Antivirus engines are being updated to catch it but many of them took a day or so.

    The bad guys use social engineering twice to trick the user first into opening the attachment, and then to enable the macros in the Word file. The malicious code itself was written in Office VBA, and closely mimics Dridex Banking Trojan infections, suggesting it is the same cybermafia behind it.

    Once an employee enables the macros, the macros will download an executable from a remote server and execute it. The file that is downloaded by the macro will be stored in the %Temp% folder and executed. This executable is the Locky ransomware that when started will begin to encrypt the files on the workstation, then both mapped and unmapped network drives.

    What To Do About It

    At this time, there is no known way to decrypt files encrypted by Locky. At the KnowBe4 blog, we have a lot more links and information, showing all the points of failure that would allow Locky to get into your systems, and also a little-known way to disable macros network-wide to prevent malicious code like this to encrypt your files.

    Learn how to keep this nasty out now:
    https://blog.knowbe4.com/its-here.-new-ransomware-hidden-in-infected-word-files
    Scam Of The Week - Netflix For No Charge

    Netflix’s popularity continues to grow fast, and they recently launched their streaming service globally. Obviously that makes them a hacker target. At the moment, there are active malware and phishing campaigns targeting Netflix users. The operations are fairly sophisticated, so it is likely this is the work of an Eastern European cybermafia.

    Some of the campaigns are dropping actual malware on the box, others phish for the user's login and/or payment information and sell these on the dark web. All of the campaigns start with some form of social engineering.

    In the case of malware, users infect their machine at the moment where they are tricked into acting on a fake ad for a cheaper version of Netflix. Once installed, the malware poses as Netflix and compromises the system with a Trojan.

    Symantec researchers wrote about one good example of credentials-phishing that targets Danish Netflix users. A fake email tried to trick them into updating their account due to a payment issue, mistakenly sending their bank details directly into the hands of cyber scammers.

    I suggest you send the following to your employees, friends and family: "Cybercriminals are targeting Netflix users with several scams you need to watch out for. Some of these scams claim you need to update your payment information, and others try to trick you into downloading software for a cheaper version of Netflix. Do not fall victim for any of these tricks.

    "Only download Netflix software from the Netflix website or official app stores, and always go to these websites yourself instead of clicking on a link in an email. Also, if you receive an email that looks like it is from Netflix, and claim you need to update payment information, do not click on any links or open any attachments. Go to the Netflix website yourself using your browser and check your account. Call their customer service if you want to be 100% sure, using the 800 number you found on their website."

    For KnowBe4 customers, send your users a phishing security test to inoculate them against Netflix scams. You can find the template in Phishing -> Email Templates -> System Templates -> Current Events -> "Netflix Alerts: Your payment was declined". This template has a difficulty rating of 4 out of 5.

    Let's stay safe out there.
    New Cloudmark Report On Phishing: Have They Gone Off Their Rocker?

    Robert Lemos of eWEEK interviewed Angela Knox, senior director of engineering and threat research for Cloudmark related to their new Feb 11 security threat report.

    "While the stereotypical phishing attack may be grammatically challenged, the popular attack method continues to be effective, according to Cloudmark's report.

    While phishing attacks have a reputation for being poorly written and fairly obvious in their attempts to con users, the attacks continue to be a problem for most companies, according to the report.

    Ninety-one percent of companies encountered phishing attacks in 2015, with the lion's share —84 percent— of companies claiming attacks successfully snuck past their security defenses, according to a survey of 300 U.S. and UK firms conducted as part of the report.

    A relatively simple attack—sending a message to the accounting department purportedly from the company CEO—has become quite popular, with 63 percent of companies having encountered the tactic.

    "Even though companies are taking actions, it is still one of the easiest ways in," Angela Knox, senior director of engineering and threat research for Cloudmark, told eWEEK. "It is much easier for someone to hack a human by going through email than to attempt to find a zero day."

    Up to that point I was all in agreement, and then she went sideways and came out with a statement that had my mouth hang open in disbelief: "Training is the stop-gap measure that you use if the technology is not providing you defenses you can rely on," she said. "If the technology is protecting you, you don't need training."

    Oh, really?

    Well, let me answer with a quote of Bruce Schneier: "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." He also constantly makes the point that "Security is a process, not a product. No system is perfect; no technology is ‘The Answer’."

    Technology is mostly reactive and usually runs days behind after new attacks. Look at the fresh Locky ransomware attack: 400,000 infections in just a few hours sailing through all the existing defenses by social engineering end-users.

    Effective security awareness training is a must these days. Here is the story in eWEEK. Leave a comment and tell them if you agree or not?
    http://www.eweek.com/security/phishing-attacks-continue-to-sneak-past-defenses.html
    Warm Regards,
    Stu Sjouwerman

    Quotes Of The Week

    "Everything I've learned the hard way was based on a statistically invalid sample."
    - Jay Davis

    "We are not human beings having a spiritual experience. We are spiritual beings having a human experience."- Pierre Teilhard de Chardin

    Thanks for reading CyberheistNews

    Security News
    Meet Kevin Mitnick in KnowBe4’s Booth
    3024 at RSA

    Going to RSA in San Francisco this year? Stop by KnowBe4’s Booth 3024, North Hall

      • Mitnick Monday! Meet Kevin Mitnick, KnowBe4's Chief Hacking Officer Monday, February 29, 5-7 PM at KnowBe4’s Booth.
      • Also, EVERYONE will receive a real Kevin Mitnick collectible stainless steel lock-pick business card all week long.
      • See a demo of the innovative Kevin Mitnick Security Awareness Training Platform to train and phish your users.

      • Be entered to win an awesome Drone.

    PS, Don't have your pass yet? We've got you covered. Use code XEKNWBE416 to register for your complimentary Exhibit Hall Only Pass. Hurry, the code expires February 26.
    http://www.rsaconference.com/events/us16/register

    See you in San Francisco!

    Stu Sjouwerman,
    CEO KnowBe4, Inc
    Word Doc Can Shut Down U.S. Hospital Computers And Cancer Treatment Equipment

    Steve Morgan, Contributor to Forbes Magazine wrote about the Locky ransomware and covered the recent shutdown of a U.S. hospital systems along with equipment used to treat cancer patients.

    Hollywood Presbyterian Medical Center in Los Angeles, Calif. declared an internal emergency earlier this month when the hospital had its computer systems cyber attacked and held ransom by hackers, according to an NBC News report.

    This is a great article to send to management if you need budget approval for security awareness training. Morgan mentions KnowBe4 as a vendor:
    http://www.forbes.com/sites/stevemorgan/2016/02/18/word-doc-can-shutdown-u-s-hospital-computers-and-cancer-treatment-equipment/#4ef090975141
    44% Of Ransomware Victims In The UK Have Paid To Recover Their Data

    Danielle Correa at SC Magazine wrote: "A Bitdefender global study with respondents from the UK, the US, France, Germany, Denmark and Romania was conducted by iSense Solutions to discover what motivates victims to pay ransoms and how much they value their data.

    The study revealed that half of users cannot identify ransomware as a type of threat that prevents or limits access to computer data. Personal documents were the top priority for users to recover.

    US users are the most sought-after targets for spam emails with 61.8 percent of all email distributed malware files containing some form of ransomware while the UK had 54.5 percent containing ransomware. More:
    https://blog.knowbe4.com/44-of-ransomware-victims-in-the-uk-have-paid-to-recover-their-data
    So, What Does That .DOCM Extension Really Mean?

    Subscriber Jim sent me this: "This morning, had mail from an unknown.. with an attachment (go figure, right!). It had an extension that I wasn't familiar with, so being the curious person I am I looked it up. The extension on the attached document was .DOCM.

    Info from a couple different locations: first the definition of what a "docm" type document is.. "DOCM uses Extensible Markup Lanugage, or XML, for better security, smaller file sizes and improved data recovery for your business documents. The "M" in the file extension means the Word document contains programming elements, called macros; this contrasts with DOCX format, which does not contain macros."

    Something you might note with that description is the -macros- part. From the security items that have been floating into the mailbox lately, that's yet another version of an attack.

    From the Office website, a listing of various extensions that are in play with Office:
    https://support.office.com/en-us/article/Introduction-to-new-file-name-extensions-eca81dcb-5626-4e5b-8362-524d13ae4ec1

    As always, if you're not familiar with the sender, or even if you ARE familiar with the sender, check with that person to verify they did indeed (or did NOT) send you mail with an attachment.

    Cyberheist 'FAVE' LINKS:
    This Week's Links We Like, Tips, Hints And Fun Stuff


     

    Return To KnowBe4 Security Blog
    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews